Abstract

In the problem of swarm computing, n agents wish to securely and distributively perform a 
computation on common inputs, in such a way that even if the entire memory contents of some of 
them are exposed, no information is revealed about the state of the computation. Recently, Dolev, 
Garay, Gilboa and Kolesnikov [ICS 2011] considered this problem in the setting of information- 
theoretic security, showing how to perform such computations on input streams of unbounded 
length. The cost of their solution, however, is exponential in the size of the Finite State Automaton 
(FSA) computing the function. 

In this work we are interested in efficient computation in the above model, at the expense of 
minimal additional assumptions. Relying on the existence of one-way functions, we show how to 
process a priori unbounded inputs (but of course, polynomial in the security parameter) at a cost 
linear in m, the number of FSA states. In particular, our algorithms achieve the following: 

— In the case of (n, n)-reconstruction (i.e., in which all n agents participate in reconstruction of
the distributed computation) and at most n − 1 agents are corrupted, the agent storage, the
time required to process each input symbol and the time complexity for reconstruction are all
O(mn).

— In the case of (t + 1, n)-reconstruction (where only t + 1 agents take part in the reconstruction)
and at most t agents are corrupted, the agents' storage and time required to process each input
symbol are $O(m\binom{n-1}{t})$. The complexity of reconstruction is O(m(t + 1)).
1 Introduction



Distributed computing has become an integral part of a variety of systems, including cloud computing
and "swarm" computing, where n agents perform a computation on common inputs. In these emerging
computing paradigms, security (i.e., privacy and correctness) of the computation is of a primary
concern. Indeed, in swarm computing, often considered in military contexts (e.g., unmanned aerial
vehicle (UAV) operation), security of the data and program state is of paramount importance; similarly,
one persistent challenge in the field of cloud computing is ensuring the privacy of users' data,
demanded by government, commercial, and even individual cloud users.

In this work, we revisit the notion of never-ending private distributed computation, first considered
by Dolev, Garay, Gilboa and Kolesnikov [7]. In such a computation, an unbounded sequence of
commands (or inputs) is interpreted by several machines (agents) in a way that no information about
the inputs or the state of the computation is revealed to an adversary who is able to "corrupt"
the agents and examine their internal state, as long as no more than a predetermined threshold of the machines
are corrupted.

Dolev et al. were able to provide very strong (unconditional, or information-theoretic) security
for computations performed by a finite-state automaton (FSA), at the price however of the computation
being efficient only for a small set of functions, as in general the complexity of the computation is
exponential in the size (number of states) of the FSA computing the function.

In this work, we minimally weaken the original model by additionally assuming the existence 
of one-way functions (and hence consider polynomial-time adversaries — in the security parameter; 
more details below), and in return achieve very high efficiency as a function of the size of the FSA. 
We stress that we still consider computation on a priori unbounded number of inputs, and where the 
online (input-processing) phase incurs no communication. We now describe the model in more detail. 

The setting. As in [7], we consider a distributed computation setting in which a party, whom we
refer to as the dealer, has a finite state automaton (FSA) A which accepts an (a priori unbounded)
stream of inputs $x_1, x_2, \ldots$ received from an external source. The dealer delegates the computation
to agents $A_1, \ldots, A_n$, by furnishing them with an implementation of A. The agents receive, in a
synchronized manner, all the inputs for A during the online input-processing phase, where no
communication whatsoever is allowed. Finally, given a signal from the dealer, the agents terminate the
execution and submit their internal state to the dealer, who computes the state of A and returns it as
output.

We consider an attack model where an entity, called the adversary, Adv, is able to adaptively
"corrupt" agents (i.e., inspect their internal state) during the online execution phase, up to a threshold
t < n (see footnote 2). We do not aim at maintaining the privacy of the automaton A; however, we wish to protect
the secrecy of the state of A and the inputs' history. We note that Adv may have external information
about the computation, such as partial inputs or the length of the input sequence, state information,
etc. This auxiliary information, together with the knowledge of A, may exclude the protection of
certain configurations, or even fully determine A's state. We stress that this cannot be avoided in any
implementation, and we do not consider this an insecurity. Thus, our goal is to prevent the leakage
or derivation by Adv of any knowledge from seeing the execution traces which Adv did not already
possess.

1 Indeed, the existence of one-way functions is considered a minimal assumption in contemporary cryptography. In
particular, we do not allow the use of public-key cryptography.

2 We note that more general access structures may be naturally employed with our constructions.
As mentioned above, our constructions' reliance on one-way functions dictates that the computational
power of the entities (adversary, agents) be polynomially bounded (in k, the security parameter).
Similarly, our protocols run on input streams of polynomial length. At the same time, we do not
impose an a priori bound on the stream's length; moreover, the size of the agents' state is independent of it.
This allows the use of agents of the same (small) complexity (storage and computational power) in all
situations.

Our contributions. Our work is the first significant extension of the work of [7]. Towards our
goal of making never-ending and private distributed computation practical, we introduce an additional
(minimal) assumption of the existence of one-way functions (and hence pseudo-random number generators
[PRGs]), and propose the following constructions:

— A scheme with (n, n)-reconstruction (where all n agents participate in reconstruction), where
the storage and processing time per input symbol is O(mn) for each agent. The reconstruction
complexity is O(mn).

— A scheme with (t + 1, n)-reconstruction (where t corrupted agents do not take part in the
reconstruction), where the above costs are $O(m\binom{n-1}{t})$ (see footnote 3).

Regarding tools and techniques, the carefully orchestrated use of PRGs and secret-sharing techniques
[15] allows our protocols to hide the state of the computation against an adaptive adversary
by using share re-randomization. Typically, in the context of secret sharing, this is simply done by the
addition of a suitable (i.e., passing through the origin) random polynomial. However, due to the
no-communication requirement, share re-randomization is a lot more challenging in our setting. This is
particularly so in the more general case of the (t + 1, n)-reconstruction protocol. We achieve share
re-randomization by sharing PRG seeds among the players in a manner which allows players to achieve
sufficient synchronization of their randomness, which is resilient to t corruptions.

Related work. Reflecting a well-known phenomenon in distributed computing, where a single point
of failure needs to be avoided, a team of agents (e.g., UAVs) that collaborate in a mission is more
robust than a single agent trying to complete a mission by itself (e.g., [1], [3]). Several techniques
have been suggested for this purpose; another related line of work is that of automaton splitting and
replication, yielding designs that can tolerate faults as well as provide some form of privacy of the
computation (see, e.g., [5]-[9]). As mentioned above, only [7] addresses the unbounded-input-stream
scenario.

Recall that in secure multi-party computation (MPC) [2], [4], [11], n parties, some of which might be
corrupted, are to compute an n-ary (public) function on their inputs, in such a way that no information is
revealed about them beyond what is revealed by the function's output. At a high level, we similarly
aim in our context to ensure the correctness and privacy of the distributed computation. However,
as explained in [7], our setting is significantly different from that of MPC, and MPC definitions and
solutions cannot be directly applied here. The reason is two-fold: firstly, MPC protects the players' individual
inputs, whereas in our setting the inputs are common to all players. Secondly, and more importantly,
MPC operates on inputs of fixed length, which would require an a priori estimate on the maximum
input size $s_{\max}$ and agents' storage linear in $s_{\max}$. While unbounded inputs could be processed,
for example by processing them "in blocks," this would require communication during the online phase,
which is not allowed in our setting. Refer to [7] for a more detailed discussion on the unbounded-inputs
setting vis-à-vis MPC's.

3 For some values of t, e.g. t = n/2, this quantity would be exponential in n. This does not contradict our assumption on
the computational power of the participants; it simply means that, given k, for some values of n and t this protocol cannot
be executed in the allowed time.
Finally, we note that using recently proposed fully-homomorphic encryption (FHE) [10] (and
follow-ups) trivially solves the problem we pose, as under FHE the agents can simply compute
arbitrary functions. In fact, plain additively homomorphic encryption (e.g., pj[ ) can be used to encrypt
the current state of the FSA and non-interactively update it as computation progresses, in a manner
similar to what is described in our constructions (see the high-level intuition in Section 3). We note
that, firstly, public-key encryption and, dramatically so, FHE, suffer from orders-of-magnitude
computational overhead, as compared to the symmetric-key operations that we rely on. More importantly,
in this work we aim at minimizing the assumptions needed for efficient unbounded private distributed
computation.

Organization of the paper. The remainder of the paper is organized as follows. In Section 2 we
present in more detail the model, definitions and building blocks that we use throughout the paper.
We dedicate Section 3 to a high-level description of our constructions, while in Section 4 we present
them in detail. The full privacy analysis is presented in Section 5.

2 Model and Definitions 

A finite-state automaton (FSA) A has a finite set of states ST, a finite alphabet Σ, and a transition
function $\mu : ST \times \Sigma \to ST$. In this work we do not assume an initial state or a terminal state for
the automaton, i.e., it may begin its execution from any state and does not necessarily stop.

We already described in the previous section the distributed computation setting — dealer, agents, 
adversary, and unbounded input stream — under which the FSA is to be executed. In more detail, we 
assume a global clock to which all agents are synchronized. We will assume that no more than one 
input symbol arrives during any clock tick. By input stream, we mean a sequence of input symbols 
arriving at a certain schedule of clock ticks. Abusing notation, we will sometimes refer to the input 
without explicit reference to the schedule. (We note that the global clock requirement can in principle 
be removed if we allow the input schedule to be leaked to Adv.) 

We also mentioned that Adv is allowed to corrupt agents as the execution of the protocol pro- 
ceeds. We consider the so-called passive or semi-honest adversary model, where corrupted agents can 
combine their views in order to learn protected information, but are not allowed to deviate from the 
protocol. Furthermore, each agent can be corrupted only once during an execution. When it does, 
Adv can view the entire contents of a corrupted agent's memory, but does not obtain any of the global 
inputs. 

Incidentally, we consider event processing by an agent as an atomic operation. That is, agents 
cannot be corrupted during an execution of state update. This is a natural and easily achievable 
assumption, which allows us to not worry about some tedious details. The computation is then con- 
sidered to be secure, if any two executions (possibly on different inputs and initial states — defined 
more formally below) are "similarly" distributed. 

This model of security for distributed computation on unbounded input streams was introduced by
Dolev et al. [7] as the progressive corruption model (PCM), allowing Adv to be computationally
unbounded, and in particular requiring that the distributions of the two executions (again, more formally
defined below) be identical.

In this work we use a variant of PCM, applying the following two weakenings to the PCM defini- 
tion: 

1. Rather than requiring that the distributions of executions be identical, we require them to be
computationally indistinguishable. This means that we guarantee security only against polynomial-
time-bounded adversaries.

2. We require indistinguishability of executions for the same corruption timeline (and, of course,
different input streams). This means that, for example, agent IDs are now allowed to be included
in the agents' views. (We use agent IDs in one of our constructions.) We stress that this is not a
significant security weakening, as essentially we only allow the adversary to differentiate among
the agents' identities; the inputs and current state of the computation remain computationally
hidden.

We now present our amended PCM definition. We first formalize the notion of corruption timeline 
and the view of the adversary. 

Definition 1. A corruption timeline ρ is a sequence $\rho = ((A_1, \tau_1), \ldots, (A_k, \tau_k))$, where $A_1, \ldots, A_k$
are the corrupted agents and $\tau_1, \ldots, \tau_k$ ($\tau_1 < \ldots < \tau_k$) denote the times when the corresponding
corruptions took place. The length of a corruption timeline is $|\rho| = k$.

We denote by $\mathrm{VIEW}^{\Pi}_{\rho}(X, s)$ the probability distribution of the aggregated internal states of
corrupted agents at the time of corruption, when executed on input X and initial state s.

Definition 2 (Computational Privacy in the Progressive Corruption Model). We say that a
distributed computation scheme Π is t-private in the Progressive Corruption Model (PCM) if for every
two states $s_1, s_2 \in ST$, polynomial-length input streams $X_1, X_2$, and any corruption timeline ρ,
$|\rho| \le t$,

$$\mathrm{VIEW}^{\Pi}_{\rho}(X_1, s_1) \approx \mathrm{VIEW}^{\Pi}_{\rho}(X_2, s_2).$$

Here, ≈ denotes the computational indistinguishability of two distributions.



2.1 Tools and Building Blocks 

A pseudo-random generator (PRG) is a function $G : X \to Y$, where X and Y are typically of the form $\{0,1\}^k$
and $\{0,1\}^{k+l}$, respectively, for some positive integers k, l. Recall that PRGs are known to exist based
on the existence of one-way functions, and that the security property of a PRG guarantees that it is
computationally infeasible to distinguish its output on a value chosen uniformly at random from X
from a value chosen uniformly at random from Y (see, e.g., [12]). In our setting, we will further
assume that the old values of the PRG seeds are securely erased by the agents upon use and hence are
not included in the view of the adversary.

The other basic tool that our protocols make use of is secret sharing [15], where essentially, a
secret piece of information is "split" into shares and handed out to a set of players by a distinguished
player called the dealer, in such a way that up to a threshold t < n of the players pooling
their shares are not able to learn anything about it, while t + 1 are able to reconstruct the secret. We
present the specific instantiations of secret sharing as needed in the corresponding sections.



3 Overview of Our Approach 

Let A be a publicly known automaton with m states. We assume that we have some ordering of the
states of A, which are denoted by corresponding labels. Every agent stores the description of the
automaton. In addition, during the computation, for every state $s_j$ of A, every agent $A_i$ computes
and stores its current label $\ell^i_j$. As mentioned above, all agents receive a global input stream $\Gamma =
\gamma_1, \gamma_2, \ldots, \gamma_i, \ldots$ and perform computation in synchronized time steps.

At a high level, the main idea behind our constructions is that the state labels will be shares (à la
secret sharing [15]) of a secret which identifies the currently active state of A. More specifically, for
each of the m automaton states, the n state labels (held by the n agents) will be shares of a 1 if the
state is currently active, and shares of a 0 otherwise. We will show how the players' local computation
on their shares will ensure that this property is maintained throughout the computation on the entire
input stream Γ. When the input stream Γ is fully processed (or a stop signal is issued), the agents
recover the current state by reconstructing the secrets corresponding to each automaton state. At the
same time, shares of the secrets (when not taken all together) reveal no information on the current
state of A.

We now present additional high-level details on two variants of the approach above. Recall that we 
consider the semi-honest adversary model, where corrupted players are not allowed to deviate from 
the protocol, but combine their views in order to learn protected information. 

(n, n) -reconstruction. In this scenario, we require that all n agents participate in the reconstruction 
of the secret (corrupted players are considered semi-honest and hence honestly provide their computed 
shares). 

At the onset of computation, the shares are initialized using an (n, n) additive secret-sharing
scheme, such that the initial state's labels are the sharing of 1, and the labels of each of the other states are
shares of 0. When processing a global input symbol γ, each agent computes a new label for a state
s by summing the previous labels of all states s' such that μ(s', γ) = s. It is easy to see that, due
to the fact that we use additive secret sharing, the newly computed shares will maintain the desired
secret-sharing property. Indeed, say that on input symbol γ, u states transition into state s. If all of
them were inactive and their labels were shares of 0's, then the newly computed shares will encode
a 0 (as the sum of u zeros). Similarly, if one of the u predecessor states was active and its label
shared a 1, then the new active state s will also correspond to a share of 1.

A technical problem arises in the case of "empty" states, i.e., those that do not have incoming
transitions for symbol γ, and hence their labels are undefined. Indeed, to hide the state of the automaton
from the adversary who corrupts agent(s), we need to ensure that each label is a random share
of the appropriate secret. Hence, we need to generate a random 0-share for each empty state without
communication among the agents.

In the (n, n) sharing and reconstruction scenario, we will non-interactively generate these labels
pseudo-randomly as follows. Each pair of agents $(A_i, A_j)$ will be assigned a random PRG seed $seed_{ij}$.
Then, at each event (e.g., processing input symbol γ), each agent $A_i$ will pseudo-randomly generate a
string $r_j$ using each of the seeds $seed_{ij}$, and set the label of the empty state to be the sum of all strings
$r_j$. This is done for each empty state independently. The PRG seeds are then (deterministically)
"evolved", thereby erasing from the agent's view the knowledge of the labels' provenance, and making
them all indistinguishable from random. As all agents are synchronized with respect to the input and
the shared seeds, it is easy to see that the shares generated this way reconstruct a 0, since each string
$r_j$ will be included twice in the total sum, and hence will cancel out (we will use an appropriate [e.g.,
XOR-based] secret-sharing scheme such that this is ensured).

Finally, and intuitively, we observe that PCM security will hold since the view of each corrupted 
agent only includes pseudo-randomly generated labels for each state and the current PRG seed value. 
As noted above, even when combined with the views of other corrupted players, the labels are still 
indistinguishable from random. 

(t + 1, n)-reconstruction. In this scenario, up to t corrupted agents do not take part in the
reconstruction (this is motivated by the possibility of agents (UAVs) being captured or destroyed by the
adversary). Agents who submit their inputs are doing so correctly. Thus, here we require n > 2t.
We will take our (n, n)-reconstruction solution as the basis, and adapt and expand it as follows.
First, in order to enable reconstruction with t + 1 agents, we will use (t + 1, n) additive secret sharing
(such as Shamir's [15]). Second, as before, we will use a PRG to generate labels, but now we will
have a separate seed for each subset of agents of size n − t + 1. Then, at each event (e.g., processing
of an input symbol), each agent $A_i$, for each of the groups it belongs to, will update its shares by
generating a random (t + 1, n)-secret sharing of 0 using the randomness generated by applying G
to the group's seed. Then, agent $A_i$ will use the share thus generated for the i-th agent as its own, and
set the label of the empty state to be the sum of all such shares.

Here we note that, since agents are excluded from some of the groups, and that in this scenario
up to t agents might not return their state during reconstruction, special care must be taken in the
generation of the re-randomizing polynomials so that all agents have invariantly consistent shares,
even for groups they do not belong to, and that any set of agents of size t + 1 enables the reconstruction
of the secrets. (See Section 4.2 for details.) The above is done for each empty state independently. As
before, the PRG seeds are then (deterministically) evolved, making them all indistinguishable from
random.



Algorithm 1: Template algorithm for agent $A_i$, $1 \le i \le n$, for label and state update.
Input: An input symbol γ.
Output: New labels for every state.
1: if γ is initialized then
2:   $\ell_j := \sum_{k :\, \mu(s_k, \gamma) = s_j} \ell_k$ (the sum is calculated over some field F, depending on the scheme).
3: end if
4: for every $T \in \mathcal{T}$ s.t. $A_i \in T$ do
5:   Compute $B^T S^T \leftarrow G(seed^r_T)$, where $B^T = b^T_1 b^T_2 \ldots b^T_m$, and $b^T_j \in F$, $1 \le j \le m$.
6:   $seed^{r+1}_T := S^T$.
7:   for j = 1 to m do
8:     $\ell_j := \ell_j + R_j$, where $R_j$ is a scheme-specific pseudo-random quantity.
9:   end for
10: end for



Remark 3.1. This approach reveals the length and schedule of the input Γ processed by the players.
Indeed, the stored seeds (or more precisely, their evolution, which is traceable by the adversary simply
by corrupting at different times players who share a seed) do reveal to the adversary the number of
times the update function has been invoked. We hide this information by requiring the agents to
run updates at each clock tick.

Algorithm 1 summarizes the update operations performed by agent $A_i$ ($1 \le i \le n$) during the
r-th clock cycle. The key point is the generation of $R_j$, the label re-randomizing quantity. Notice also
that in every clock cycle, there may or may not be an input symbol received by the agent; if the agent
did not receive any input, we assume that the input symbol is not initialized.



4 The Constructions in Detail 

4.1 The (n, n) -reconstruction protocol 

We start our formalization of the intuition presented above with the case where all n out of the n
agents participate in the state reconstruction. The protocol for this case, which we call $\Pi^{(n,n)}$, is
presented below.

Protocol $\Pi^{(n,n)}$. The protocol consists of three phases:

Initialization. The dealer secret-shares among the agents a secret value for each state, such that the
value for the initial state is 1 and for all the other states is 0. This is done as follows. Agent $A_i$
($1 \le i \le n$) is given a random binary string $x^i_1 x^i_2 \ldots x^i_m$, with the constraints that

$$x^1_{init} + x^2_{init} + \ldots + x^n_{init} = 1 \bmod 2,$$

where init is the index of the initial state of the computation, and for every $1 \le j \ne init \le m$,

$$x^1_j + x^2_j + \ldots + x^n_j = 0 \bmod 2.$$

Each agent then proceeds to assign its state labels as $\ell^i_j := x^i_j$.

Event Processing. Each agent runs Algorithm 1, updating its labels and computing the new seeds for
the PRG. Let $\mathcal{T}$ be the set of all possible agents' pairs. For line 8 of Algorithm 1, each agent $A_i$ now
computes

$$R_j = \sum_{T \in \mathcal{T},\, A_i \in T} b^T_j .$$

Figure 1: The internal state of agent $A_i$ before a transition.

Reconstruction. All agents submit their internal states to the dealer, who reconstructs the secrets
corresponding to each state by adding (mod 2) the shares of each state, and determines and outputs
the currently active state (the one whose reconstructed secret is 1).
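The three phases of $\Pi^{(n,n)}$ above, together with the intuition of Section 3, as an added simulation that is not the paper's own code: agents hold XOR-shares of a per-state indicator bit, every pair of agents shares a seed that both evolve each clock tick, and the dealer's reconstruction is compared against a plaintext run of the automaton. The four-state automaton, the use of SHA-256 as the PRG instantiation and the input schedule are constructed assumptions.

```python
import hashlib
import os
from itertools import combinations

# Constructed automaton: states 0..3, alphabet {'a', 'b'}; MU[(s, sym)] = s'.
# On 'a' no state transitions into 2 or 3, so those are "empty" states for 'a';
# on 'b' state 1 is empty.
MU = {
    (0, 'a'): 1, (1, 'a'): 1, (2, 'a'): 0, (3, 'a'): 1,
    (0, 'b'): 2, (1, 'b'): 3, (2, 'b'): 2, (3, 'b'): 0,
}
M = 4          # number of automaton states
SEED_LEN = 32  # PRG seed length in bytes (assumption)

def prg(seed, m):
    """G(seed) -> (B, S): m label bits b_1..b_m and the evolved seed S.
    Instantiated with SHA-256 here; the paper only requires some PRG."""
    out = hashlib.sha256(b"expand" + seed).digest()
    bits = [(out[j // 8] >> (j % 8)) & 1 for j in range(m)]
    return bits, hashlib.sha256(b"evolve" + seed).digest()

class Agent:
    def __init__(self, idx, labels, seeds):
        self.idx = idx
        self.labels = labels   # l_j for each state, one bit per state
        self.seeds = seeds     # {frozenset({i, k}): seed} for pairs containing idx

    def update(self, sym):
        """Algorithm 1 with F = GF(2): R_j is the XOR over pairs of b_j^T."""
        if sym is not None:                       # lines 1-3: gamma initialized
            new = [0] * M                         # empty states start undefined (0)
            for (s_prev, g), s_next in MU.items():
                if g == sym:
                    new[s_next] ^= self.labels[s_prev]
            self.labels = new
        for pair in list(self.seeds):             # lines 4-10: re-randomize, evolve
            bits, self.seeds[pair] = prg(self.seeds[pair], M)
            for j in range(M):
                self.labels[j] ^= bits[j]

def dealer_init(n, init_state, rng_bytes=os.urandom):
    """(n, n) XOR sharing: the init state shares a 1, every other state a 0;
    plus one random seed per agent pair, handed to both members."""
    shares = [[0] * M for _ in range(n)]
    for j in range(M):
        for i in range(n - 1):
            shares[i][j] = rng_bytes(1)[0] & 1
        parity = sum(shares[i][j] for i in range(n - 1)) % 2
        shares[n - 1][j] = parity ^ (1 if j == init_state else 0)
    pairs = {frozenset(p): rng_bytes(SEED_LEN) for p in combinations(range(n), 2)}
    return [Agent(i, shares[i], {p: s for p, s in pairs.items() if i in p})
            for i in range(n)]

def simulate(n, init_state, schedule, rng_bytes=os.urandom):
    """schedule: one entry per clock tick, an input symbol or None (no input)."""
    agents = dealer_init(n, init_state, rng_bytes)
    for sym in schedule:
        for a in agents:
            a.update(sym)
    return agents

def reconstruct(agents):
    """Dealer XORs every agent's share of each state; exactly one state is 1."""
    secrets = [sum(a.labels[j] for a in agents) % 2 for j in range(M)]
    assert secrets.count(1) == 1, secrets
    return secrets.index(1)

def plain_run(init_state, schedule):
    """Reference: run the automaton in the clear."""
    s = init_state
    for sym in schedule:
        if sym is not None:
            s = MU[(s, sym)]
    return s

def seeds_in_sync(agents):
    """Both members of every pair must hold the same evolved seed."""
    return all(agents[other].seeds[pair] == seed
               for a in agents for pair, seed in a.seeds.items() for other in pair)

if __name__ == "__main__":
    sched = ['a', None, 'b', 'b', None, 'a', 'b']
    ags = simulate(5, 0, sched)
    print(reconstruct(ags), plain_run(0, sched), seeds_in_sync(ags))
```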

Before proving the correctness and privacy achieved by the protocol, we illustrate the operation
of the online (Event Processing) phase with the following example; refer to Figures 1 and 2. The
two figures describe the execution of the protocol on an automaton with four states and two possible
inputs. Figure 1 presents the internal state of agent $A_i$ after the (r − 1)-th clock cycle. The agent
holds the original automaton and has a label for each of the four states, $(\ell^i_1)_{r-1}$, $(\ell^i_2)_{r-1}$, $(\ell^i_3)_{r-1}$ and
$(\ell^i_4)_{r-1}$.

Figure 2 shows the changes in the agent's internal state compared to Figure 1 after the r-th clock
cycle. We also assume that in this clock cycle the agents receive an input symbol a. The new labels
for each state are the sum of old labels and pseudo-random values. The labels in the sum are the old
labels of all the states that transition to the current state given the input. Thus, the new $(\ell^i_2)_r$ includes
a sum of the old labels of the two states that transition to $s_2$ on input a, while the new $(\ell^i_3)_r$ doesn't include any labels in its sum
because there is no state that transitions to $s_3$ after an a input. The pseudo-random addition to each
state j = 1, ..., 4 is the sum $\sum_{T \in \mathcal{T}:\, A_i \in T} (b^T_j)_r$.

Figure 2: The internal state of agent $A_i$ after an a transition.

We start by proving the correctness of the construction. 

Proposition 4.1. At every Event Processing step of protocol $\Pi^{(n,n)}$, the secret corresponding to the
current state in the computation is 1 and for all other states the secret is 0.

Proof. The proof is by induction on the number of steps r that the automaton performs, i.e., the
number of clock cycles.

For the base case, if we consider the state of the protocol after the initialization step and before
the first clock cycle, i.e., at r = 0, then the statement is true by our definition of the label assignments.
Let us first consider the case where at the r-th step an input symbol $\gamma_r$ from Γ is received. Following
the protocol, agent $A_i$'s new label for state j becomes

$$(\ell^i_j)_r = \sum_{k :\, \mu(s_k, \gamma_r) = s_j} (\ell^i_k)_{r-1} + \sum_{T :\, A_i \in T} (b^T_j)_r .$$

Consider now the next state of the computation in the automaton; we wish to show that the secret
corresponding to that state will be 1. Let curr be the index of the current state of the automaton, and
next be the index corresponding to the next state; by definition, $\mu(s_{curr}, \gamma_r) = s_{next}$. Then,

$$(\ell^i_{next})_r = \sum_{k :\, \mu(s_k, \gamma_r) = s_{next}} (\ell^i_k)_{r-1} + \sum_{T :\, A_i \in T} (b^T_{next})_r
= (\ell^i_{curr})_{r-1} + \sum_{k \ne curr :\, \mu(s_k, \gamma_r) = s_{next}} (\ell^i_k)_{r-1} + \sum_{T :\, A_i \in T} (b^T_{next})_r .$$

By the induction hypothesis, we know that

$$\sum_{i=1}^{n} (\ell^i_{curr})_{r-1} = 1 \pmod 2$$

and for k ≠ curr,

$$\sum_{i=1}^{n} (\ell^i_k)_{r-1} = 0 \pmod 2 .$$

Thus, if we sum over all the agents:

$$\sum_{i=1}^{n} (\ell^i_{next})_r
= \sum_{i=1}^{n} (\ell^i_{curr})_{r-1}
+ \sum_{k \ne curr :\, \mu(s_k, \gamma_r) = s_{next}} \; \sum_{i=1}^{n} (\ell^i_k)_{r-1}
+ \sum_{i=1}^{n} \sum_{T :\, A_i \in T} (b^T_{next})_r
= 1 + 0 + 0 = 1 \pmod 2 .$$

This is because in $\sum_{i=1}^{n} \sum_{T :\, A_i \in T} (b^T_j)_r$, every $(b^T_j)_r$ appears exactly twice, once for every
element in T, and hence cancels out mod 2. Using similar arguments one can see that all the other states will resolve to 0.

In the case that in the r-th step no input symbol is received, due to the fact that we just add the
random strings in the same way as in the case above, we again get that the secret corresponding to the
current state of the computation is 1, and for all others is 0. □

Proposition 4.2. Protocol $\Pi^{(n,n)}$ is (n − 1)-private in the PCM according to Definition 2.

Proof sketch. Recall that the underlying observation is that when a corruption takes place (which
cannot happen during the label-update procedure), the agent's state includes the current labels and
PRG seeds which have already been evolved, and hence cannot be correlated with the label shares
previously generated.

Without loss of generality, consider the case where Adv corrupts all but one agent according
to an arbitrary corruption timeline, and assume, say, agent $A_1$ is not corrupted. We argue that the
view of the adversary is indistinguishable from a view corresponding to (randomly) initialized agents
$A_2, \ldots, A_n$ on the given automaton and any initial state. In other words, the view of the adversary is
indistinguishable from the view he would obtain if he corrupted the agents simultaneously and before
any input was processed. Once we prove that, the proposition follows.

The view of each corrupted agent includes n − 1 seeds that it shares with other agents and the FSA
labels which are secret shares of a 0 or a 1. We argue that, from the point of view of the adversary, these
labels are random shares of either 0 or 1. This follows from the PRG property that an evolved seed
cannot be correlated with a prior output of the PRG, and from the fact that $A_1$ remains uncorrupted.
Indeed, the newly generated "empty" states' labels look random since the adversary cannot link them
to the PRG seeds in his view. The other states' labels look random to the adversary since they are
XORed with $A_1$'s label.

Thus, the total view of the adversary consists of random shares of 0 and 1, and is hence
indistinguishable from the one corresponding to the initial state. □

We now calculate the time and storage complexity of $\Pi^{(n,n)}$. At every step of the computation, each
agent pseudo-randomly generates and XORs n − 1 strings. Further, each agent holds a small
constant-length label for each automaton state, and n − 1 PRG seeds, yielding an O(m + n) memory
requirement.
4.2 The (t + 1, n)-reconstruction protocol

Recall that in this case, up to t of the agents might not take part in the reconstruction, and thus n > 2t.
A straightforward (albeit costly) solution to this scenario would be to execute $\Pi^{(n,n)}$ independently
for every subset of agents of size t + 1. This would involve each agent $A_i$ holding $\binom{n-1}{t}$ copies of the
automaton A, one copy for each such subset which includes $A_i$, and updating them all, as in $\Pi^{(n,n)}$,
according to the same input symbol. Now, during the reconstruction, the dealer can recover the output
from any subset of t + 1 agents. The cost of this approach would be as follows. Every agent holds
$\binom{n-1}{t}$ automata (one for every (t + 1)-tuple that includes this agent), and executes $\Pi^{(n,n)}$, which requires
O(m + t) memory, resulting in a total cost of $O(\binom{n-1}{t}(m + t))$, with the cost of computation per
input symbol being proportional to the storage.

We now present $\Pi^{(t+1,n)}$, an improved $(t+1,n)$-reconstruction scheme, whose intuition was already presented in Section 3. The protocol uses Shamir's secret-sharing scheme [15], which we now briefly review. Let $F$ be a field of size greater than $n$, and $s \in F$ be the secret. The dealer randomly generates coefficients $c_1, c_2, \ldots, c_t$ from $F$ and constructs the following polynomial of degree $t$, $f(x) = s + c_1 x + c_2 x^2 + \ldots + c_t x^t$. The dealer gives each participant $A_i$, $1 \le i \le n$, the value $f(i)$. It can be easily seen that one can reconstruct the secret from any subset of at least $t+1$ points, and no information about the secret is revealed by $t$ points (or less).

Protocol $\Pi^{(t+1,n)}$. As before, the protocol consists of three phases:

Initialization. Using Shamir's secret sharing as described above, the dealer shares a secret 1 for the initial state and 0 for all other states. In addition, the dealer generates a random seed for every set of $n-(t-1) = n-t+1$ agents, and gives each agent the seeds for the sets it belongs to. Let $\mathcal{T}$ be the set of all possible subsets of $n-t+1$ agents.

Event Processing. Each agent runs Algorithm 1, updating its labels, as follows.

Let $T \in \mathcal{T}$ and $j$, $1 \le j \le m$, be a state of the automaton. Upon obtaining the value $b_j^T$ (refer to Algorithm 1), the agents in $T$ (individually) construct a degree-$t$ polynomial, $P_j^T$, by defining its value on the following $t+1$ field points: $0$, all the points $i$ such that $A_i \notin T$, and $k$ such that $k$ is the minimal agent's index in $T$ (the choice of which point in $T$ is arbitrary). Now define $P_j^T(0) = 0$, $P_j^T(i) = 0$ for every $i$ with $A_i \notin T$, and $P_j^T(k) = b_j^T$.

Observe that by this definition, every agent $A_i \in T$ can use polynomial interpolation to compute $P_j^T(i)$, since the only required information is $b_j^T$ (and the knowledge of set membership).

Let the polynomial $P_j$ be defined as $P_j = \sum_{T \in \mathcal{T}} P_j^T$. Each agent $A_i$ now computes $P_j(i)$ (note that this is possible since the values corresponding to sets the agent does not belong to are set to 0), and updates the $j$-th label, $1 \le j \le m$, in Algorithm 1 by setting $R_j = P_j(i)$ in line 8.

Reconstruction. At least $t+1$ agents submit their internal state to the dealer, who, for every $j = 1, \ldots, m$, views the $j$-th labels of $t+1$ agents as shares in a Shamir secret-sharing scheme. The dealer reconstructs all the $m$ secrets using the scheme's reconstruction procedure, and determines and outputs the currently active state (whose recovered secret is equal to 1).

Proposition 4.3. At every Event Processing step of protocol $\Pi^{(t+1,n)}$, the shared secret for the current state in the computation is 1 and for all the other (inactive) states the shared secret is 0. Furthermore, $t+1$ agents can jointly reconstruct all secrets.

Proof. We prove the proposition by induction on the number of clock cycles $r$. We show that at each clock cycle $r$, for every state $s_j$, the $n$ labels $\ell_j^1, \ldots, \ell_j^n$ are points on a degree-$t$ polynomial $Q_j$ whose free coefficient is 1 if $j$ is the current state and 0 otherwise.

At initialization, the claim is true by our definition of the label assignments.

Assume that the induction hypothesis is correct after $r-1$ steps. We prove the hypothesis for the $r$-th step. Assume first that in this step the agents receive an input letter $\gamma_r$, and denote the current state by $s_{curr}$. By our definition, the new label of the state $j$ of agent $i$ is

$$\ell_j^i \leftarrow \sum_{k \,:\, \mu(s_k, \gamma_r) = s_j} \ell_k^i + P_j(i)$$

or, equivalently,

$$\ell_j^i \leftarrow \sum_{k \,:\, \mu(s_k, \gamma_r) = s_j} Q_k(i) + P_j(i).$$

For every $j$, $1 \le j \le m$, define the polynomial $Q'_j$ as

$$Q'_j = \sum_{k \,:\, \mu(s_k, \gamma_r) = s_j} Q_k + P_j.$$

Therefore, $Q'_j(i) = \ell_j^i$ for every $j$ and every $i$. In addition, since every $Q_k$ is of degree $t$ and so is $P_j$, we deduce that $Q'_j$ is also of degree $t$. We finish proving the induction step by showing that $Q'_j(0) = 1$ only for the correct state.

Let $\mu(s_{curr}, \gamma_r) = s_{next}$. By induction, $Q_{curr}(0) = 1$ and $Q_j(0) = 0$ for any $j \ne curr$. Furthermore, by construction $P_j(0) = 0$, and therefore $Q'_{next}(0) = 1$. Since $Q_j(0) = 0$ for any $j \ne curr$, we have that $Q'_j(0) = 0$ for any $j \ne next$.

If the agents do not receive any input symbol in the $r$-th clock cycle, then the claim follows by similar arguments as above. □
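As an added worked example (not the paper's code), the following Python runs $\Pi^{(t+1,n)}$ as described above over a small prime field and checks the invariant of Proposition 4.3 after every step: the secret recovered from any $t+1$ agents is 1 for the current state and 0 elsewhere. The field GF(101), the SHA-256 stand-in for the PRG that yields the $b_j^T$ values and the evolved seeds, and the 3-state automaton are assumptions of this example, not taken from the paper.

```python
"""Added example (not the paper's code): Pi^(t+1,n) of Section 4.2 over GF(P),
with a check of Proposition 4.3 after every step.  Assumptions not from the
paper: P = 101 > n; SHA-256 stands in for the PRG that yields b_1^T..b_m^T and
the evolved seed; the automaton is a constructed 3-state "count ones mod 3" FSA."""
import hashlib
import random
from itertools import combinations

P = 101  # field size; Shamir's scheme needs |F| > n

def interpolate(points, x):
    """Evaluate at x the unique polynomial through `points` (Lagrange, mod P)."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num, den = num * (x - xj) % P, den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total

def shamir_share(secret, t, n, rnd):
    """Shares f(1..n) of a random degree-t polynomial with f(0) = secret."""
    coeffs = [secret] + [rnd.randrange(P) for _ in range(t)]
    return [sum(c * pow(i, k, P) for k, c in enumerate(coeffs)) % P for i in range(1, n + 1)]

def expand(seed, m):
    """Stand-in PRG: (b_1..b_m in GF(P), evolved seed) from one seed."""
    h = hashlib.sha256(seed).digest()
    return [h[j] % P for j in range(m)], hashlib.sha256(h).digest()

class Protocol:
    def __init__(self, fsa, start, t, n, rnd):
        self.fsa, self.m = fsa, len(fsa)
        self.sets = list(combinations(range(1, n + 1), n - t + 1))  # the family T
        self.seeds = {T: rnd.randbytes(16) for T in self.sets}   # one seed per set
        # Initialization: share secret 1 for the start state, 0 for every other state
        shares = [shamir_share(int(j == start), t, n, rnd) for j in range(self.m)]
        self.labels = {i: [shares[j][i - 1] for j in range(self.m)] for i in range(1, n + 1)}

    def process(self, symbol):
        """Event Processing: l_j^i <- sum of predecessor-state labels + P_j(i)."""
        Pj = {j: {i: 0 for i in self.labels} for j in range(self.m)}
        for T in self.sets:
            b, self.seeds[T] = expand(self.seeds[T], self.m)
            zeros = [(0, 0)] + [(i, 0) for i in self.labels if i not in T]  # t points
            for j in range(self.m):
                pts = zeros + [(min(T), b[j])]  # t+1 points fix the degree-t P_j^T
                for i in T:  # agents outside T contribute P_j^T(i) = 0
                    Pj[j][i] = (Pj[j][i] + interpolate(pts, i)) % P
        for i, lab in self.labels.items():
            self.labels[i] = [(sum(lab[k] for k in range(self.m) if self.fsa[k][symbol] == j)
                               + Pj[j][i]) % P for j in range(self.m)]

    def reconstruct(self, agents):
        """Dealer: interpolate each state's secret at 0 from t+1 agents' labels."""
        return [interpolate([(i, self.labels[i][j]) for i in agents], 0) for j in range(self.m)]

def run(stream, t=2, n=5, seed=7):
    """Returns (true final state, state the dealer recovers from agents 1..t+1, and
    whether every (t+1)-subset recovered the 0/1 vector of Prop. 4.3 at every step)."""
    fsa = [{0: 0, 1: 1}, {0: 1, 1: 2}, {0: 2, 1: 0}]  # constructed: count ones mod 3
    proto, state, ok = Protocol(fsa, 0, t, n, random.Random(seed)), 0, True
    for sym in stream:
        proto.process(sym)
        state = fsa[state][sym]
        for group in combinations(range(1, n + 1), t + 1):
            ok &= proto.reconstruct(group) == [int(j == state) for j in range(len(fsa))]
    return state, proto.reconstruct(range(1, t + 2)).index(1), ok
```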

Proposition 4.4. $\Pi^{(t+1,n)}$ is $t$-private in the PCM model according to the definition of $t$-privacy.



At a high level, the proof follows the steps of the proof of Proposition 4.2. The full details of the privacy analysis are presented in Section 5.

We now calculate the costs incurred by the protocol. The space complexity of each agent is as follows. An agent holds a label for every state, i.e., $m \cdot (\lceil \log |F| \rceil + 1)$ bits. Additionally, every agent holds $\binom{n-1}{n-t} = \binom{n-1}{t-1}$ seeds, where every seed is of size $len$. Thus, in total we have $\binom{n-1}{t-1} \cdot len + m \cdot (\lceil \log |F| \rceil + 1)$ bits. Each step of the Event Processing phase requires $O\!\left(m \binom{n-1}{t-1}\right)$ time for seed manipulation and field operations. Reconstruction (by the dealer) is just interpolation of $m$ polynomials of degree $t$.
Supplementary Material:



5 Privacy Analysis in Detail 



We show that each of our schemes in Sections 4.1 and 4.2 is computationally private in the PCM in two stages. In the first stage we construct for each scheme $\Pi$ and every possible corruption timeline $\rho$ an intermediate scheme, $I(\Pi, \rho)$. We prove that if the corruption timeline is $\rho$ then the view of an adversary in $I(\Pi, \rho)$ is independent of the state of the automaton. In other words, the adversary's view is distributed identically for any initial state and any sequence of input symbols.

In the second stage we prove that the view of an adversary in $\Pi$ with any efficiently constructible corruption timeline $\rho$ and any efficiently constructible input stream is computationally indistinguishable from the adversary's view in $I(\Pi, \rho)$. We deduce that $\Pi$ is computationally private in the PCM.

5.1 Constructing $I(\Pi, \rho)$

Notation 1. Let $\Pi^{(n,n)}$ denote the scheme of Section 4.1 that requires all the agents for reconstruction, and let $\Pi^{(t+1,n)}_{naive}$ and $\Pi^{(t+1,n)}$ denote the threshold schemes of Section 4.2.

We say that an adversary is appropriate for the scheme $\Pi^{(n,n)}$ if it corrupts at most $n-1$ agents. We say that an adversary is appropriate for the schemes $\Pi^{(t+1,n)}_{naive}$ and $\Pi^{(t+1,n)}$ if it corrupts at most $t$ agents.

Let $\Pi$ be one of the schemes $\Pi^{(n,n)}$, $\Pi^{(t+1,n)}_{naive}$ or $\Pi^{(t+1,n)}$. $\Pi$ defines initial data that an agent $A$ stores: a description of the automaton, a label for each node in the automaton and random seeds that are shared with other agents. For each scheme the domain of seeds is $\{0,1\}^{len}$ while the domain of labels is a field $F$. For example, in $\Pi^{(n,n)}$ the field is $F = GF(2)$. The subsets of agents that share a single seed are specific to each scheme. The description of $I(\Pi, \rho)$ follows.

Initialization: An agent $A_i$ is initialized with a description of the automaton as in $\Pi$. For every subset of agents $T$ such that $A_i \in T$, if the agents in $T$ share a seed in $\Pi$ that other agents do not have, then $A_i$ is initialized with $m+1$ elements, $seed_T, R_1^T, \ldots, R_m^T$. $seed_T$ is chosen uniformly at random from $\{0,1\}^{len}$, while $R_1^T, \ldots, R_m^T$ are chosen uniformly at random and independently from $F$. $A_i$ computes the initial label of the $j$-th state (indexed from 1 to $m$) over $F$ as

$$\ell_j^i = \sum_{T \,:\, A_i \in T} a_T R_j^T$$

for fixed coefficients $a_T \in F - \{0\}$.

The agent stores $seed_T$ but $R_1^T, \ldots, R_m^T$ are deleted.

Processing: Each of the schemes $\Pi$ defines data processing for every clock cycle. This processing includes computing new values for each seed and new values for each node label.

Computing new labels and seeds in $I(\Pi, \rho)$ depends on the corruption timeline $\rho$, which is defined by a sequence $\rho = ((A_1, \tau_1), \ldots, (A_t, \tau_t))$ such that the adversary corrupts agent $A_i$ at time $\tau_i$ for $i = 1, \ldots, t$ and $\tau_1 < \tau_2 < \ldots < \tau_t$.

An agent $A$ in $I(\Pi, \rho)$ begins updating $seed_T$ only after the corruption of the first agent $A_i$ that holds $seed_T$. Therefore, at any time $\tau$, $\tau \le \tau_i$, we have that $seed_T$ is unchanged. If $\tau \ge \tau_i + 1$ the agent modifies $seed_T$ as $\Pi$ specifies for updating a seed.

An agent $A_i$ in $I(\Pi, \rho)$ begins updating a state label $\ell_j^i$ only after $A_i$ is corrupted at time $\tau_i$. Therefore, when the adversary corrupts $A_i$ it obtains the original label $\ell_j^i$. For every clock cycle after $\tau_i$ the agent modifies $\ell_j^i$ as $\Pi$ specifies for updating a label.
5.2 Privacy of $I(\Pi, \rho)$

We show that if the corruption timeline is fixed to $\rho$ then $I(\Pi, \rho)$ is private in the information-theoretic sense. In order to do so, we introduce the following definition and lemma.

Definition 3. Let $\mathcal{A}$ be a set of agents, let $H = (\mathcal{A}, \mathcal{E})$ be a hypergraph and let $F$ be a finite field. We call $H$ a distribution hypergraph if for every $T \in \mathcal{E}$ there is an element $R^T$ chosen uniformly from $F$, such that every $A \in T$ holds $R^T$ and every $A \notin T$ has no information on $R^T$.

Lemma 5.1. Let $\mathcal{A}$ be a set of agents and let $H = (\mathcal{A}, \mathcal{E})$ be a distribution hypergraph over a finite field $F$. Assume that each agent $A_i$ uses a fixed set of public elements $\{a_T\}_{A_i \in T}$, such that $\forall T$, $a_T \in F - \{0\}$, to compute a label

$$\ell^i = \sum_{T \,:\, A_i \in T} a_T R^T.$$

Assume that an adversary that corrupts an agent $A_j$ obtains both the agent's label $\ell^j$ and its random strings $R^T$ for all $T$ such that $A_j \in T$. Then, the label of any uncorrupted agent $A_i$ is distributed independently of the adversary's view if and only if for any subset of agents $K$ that the adversary corrupts and for any agent $A_i$, $A_i \notin K$, there exists a hyper-edge $T \in \mathcal{E}$ such that $A_i \in T$ and $T \cap K = \emptyset$.

Proof. Let $A_i$ be an agent such that $A_i \notin K$ and there exists a hyper-edge $T \in \mathcal{E}$ such that $A_i \in T$ and $T \cap K = \emptyset$. Since $R^T$ is chosen uniformly at random from $F$, which is a field, and $a_T \ne 0$, we have that $\ell^i = \sum_{T : A_i \in T} a_T R^T$ is distributed uniformly at random in $F$ and furthermore $\ell^i$ is independent of the adversary's view.

Conversely, assume that there exists an agent $A_i \notin K$ such that for every $T$ with $A_i \in T$ there exists an agent $A$, $A \ne A_i$, such that $A \in K \cap T$. Then, the adversary obtains $R^T$ for every $T$ such that $A_i \in T$ and can therefore compute $\ell^i$ without corrupting $A_i$. □

Proposition 5.2. For each of the three possible schemes $\Pi^{(n,n)}$, $\Pi^{(t+1,n)}_{naive}$, $\Pi^{(t+1,n)}$ and every corruption timeline $\rho$, if the adversary is appropriate for the scheme $\Pi$ ($\Pi \in \{\Pi^{(n,n)}, \Pi^{(t+1,n)}_{naive}, \Pi^{(t+1,n)}\}$) then $I(\Pi, \rho)$ is private in the following sense. For every two states $s_1, s_2 \in S$ and for any two input streams $X_1, X_2 \in \Gamma^*$, $\mathrm{VIEW}_{I(\Pi,\rho)}(X_1, s_1) \equiv \mathrm{VIEW}_{I(\Pi,\rho)}(X_2, s_2)$. Furthermore, all the state labels are random and independent elements in a finite field $F$.

Proof. The view of an adversary in $I(\Pi, \rho)$ is made up of the description of the automaton, the seeds and the labels. All of these are obtained from an agent at the moment of corruption. The description of the automaton is static. The distribution of the seeds depends only on $\rho$ and as a consequence is independent of the initial state $s$ and the input stream $X$.

Therefore, the only data elements in the adversary's view that could depend on the initial state and the input stream are the state labels.

However, just prior to the adversary corrupting an agent $A$, since the adversary is appropriate there is a subset of uncorrupted agents $T$ such that $A \in T$ and all agents in $T$ share a seed that is not known to any agent outside $T$. In $I(\Pi^{(n,n)}, \rho)$, an appropriate adversary corrupts a total of at most $n-1$ agents and just prior to corrupting an agent there are at least two uncorrupted agents. By the definition of $\Pi^{(n,n)}$ this pair of agents, which we denote by $T$, shares a seed. Therefore, by the definition of $I(\Pi^{(n,n)}, \rho)$ the two agents share the elements $seed_T, R_1^T, \ldots, R_m^T$, which are all random and independent of the adversary's view. Such subsets $T$ of uncorrupted agents also exist in $I(\Pi^{(t+1,n)}_{naive}, \rho)$ and $I(\Pi^{(t+1,n)}, \rho)$.

By the construction of $I(\Pi^{(n,n)}, \rho)$, before the corruption of $A$, the state labels of $A$ have their initial value $\ell_j = \sum_{T : A \in T} a_T R_j^T$ and therefore, by Lemma 5.1, these labels are random and independent of the adversary's view.

Therefore, the adversary's view in $I(\Pi, \rho)$ with corruption timeline $\rho$ is distributed identically for any initial state $s$ and any input stream $X$. □
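As an added example (not the paper's code), the following Python evaluates the condition of Lemma 5.1 on the seed-sharing hypergraphs of $\Pi^{(n,n)}$ (every pair of agents shares a seed) and $\Pi^{(t+1,n)}$ (every $(n-t+1)$-subset shares a seed), walking a corruption timeline the way the proof of Proposition 5.2 does, and also exhibits the converse direction of the lemma, where the adversary recomputes an uncorrupted agent's label from the $R^T$ it already holds. The field GF(101) and the random $a_T$, $R^T$ are constructed here and are not taken from the paper.

```python
"""Added example (not the paper's code): the criterion of Lemma 5.1 on the
seed-sharing hypergraphs of Pi^(n,n) (every pair of agents shares a seed) and
Pi^(t+1,n) (every (n-t+1)-subset shares a seed), checked along a corruption
timeline as in the proof of Proposition 5.2.  The field GF(101) and the random
a_T, R^T are constructed here, not taken from the paper."""
import random
from itertools import combinations

P = 101

def hypergraph(n, edge_size):
    """Hyperedges of a scheme: all `edge_size`-subsets of the agents 1..n."""
    return [frozenset(T) for T in combinations(range(1, n + 1), edge_size)]

def hidden(edges, i, K):
    """Lemma 5.1: the label of A_i is independent of the view of the corrupted
    set K iff some hyperedge contains A_i and is disjoint from K."""
    return any(i in T and not (T & K) for T in edges)

def timeline_ok(edges, order):
    """Proof of Prop. 5.2: just before each corruption the agent must still lie
    on an edge shared only with uncorrupted agents.  Returns the first agent
    for which this fails, or None if the whole timeline is fine."""
    K = set()
    for a in order:
        if not hidden(edges, a, K):
            return a
        K.add(a)
    return None

def label(edges, i, a, R):
    """l^i = sum_{T : A_i in T} a_T R^T over GF(P)."""
    return sum(a[T] * R[T] for T in edges if i in T) % P

def adversary_recomputes(edges, i, K, a, R):
    """Converse direction of the lemma: if every edge through A_i meets K, the
    adversary already holds every R^T feeding l^i and recomputes the label
    without corrupting A_i; otherwise l^i stays uniform and None is returned."""
    known = {T for T in edges if T & K}  # R^T obtained from corrupted members
    if any(i in T and T not in known for T in edges):
        return None
    return sum(a[T] * R[T] for T in known if i in T) % P

def demo(n=5, t=2, seed=3):
    """Constructed run with n = 5, t = 2: Pi^(n,n) survives n-1 corruptions but
    not n; Pi^(t+1,n) survives t corruptions but not t+1; and with K = {2, 4}
    every edge through agent 5 is already covered, so its label is computable."""
    rnd = random.Random(seed)
    pairs, big = hypergraph(n, 2), hypergraph(n, n - t + 1)
    a = {T: rnd.randrange(1, P) for T in big}  # a_T in F - {0}
    R = {T: rnd.randrange(P) for T in big}     # R^T uniform in F
    return (timeline_ok(pairs, [1, 2, 3, 4]), timeline_ok(pairs, [1, 2, 3, 4, 5]),
            timeline_ok(big, [2, 4]), timeline_ok(big, [2, 4, 1]),
            adversary_recomputes(big, 5, {2}, a, R),
            adversary_recomputes(big, 5, {2, 4}, a, R) == label(big, 5, a, R))
```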

5.3 Computational Privacy of $\Pi^{(n,n)}$, $\Pi^{(t+1,n)}_{naive}$ and $\Pi^{(t+1,n)}$

We complete the analysis by proving that $\Pi^{(n,n)}$, $\Pi^{(t+1,n)}_{naive}$ and $\Pi^{(t+1,n)}$ are computationally private in the PCM.

Notation 2. Let $\kappa$ be a security parameter, let $F$ be a field and let $q(\kappa)$ be a polynomial. Let $m, t, n$ and $len$ be parameters such that $t^2 \binom{n-1}{t-1} (m|F| + len) < q(\kappa)$ and let $G : \{0,1\}^{len} \to \{0,1\}^{m|F| + len}$ be a pseudo-random generator. Denote the uniform distribution on $\{0,1\}^{m|F| + len}$ by $U$.

We regard $\mathrm{VIEW}_\Pi(X, s)$ as a random variable that represents the whole view of the adversary in $\Pi$ and regard $\mathrm{VIEW}^\tau_\Pi(X, s)$ as a reduction of that view to the first $\tau$ clock cycles. Similarly, $\mathrm{VIEW}^\tau_{I(\Pi,\rho)}(X, s)$ represents the adversary's view of the first $\tau$ clock cycles in $I(\Pi, \rho)$.

Notation 3. Let $\Pi$ be one of the schemes $\Pi^{(n,n)}$, $\Pi^{(t+1,n)}_{naive}$ or $\Pi^{(t+1,n)}$. For every $\tau = 0, \ldots, q(\kappa)$ define $H_\tau$ to be a hybrid scheme which is identical to $I(\Pi, \rho)$ for any clock cycle $\tau'$ such that $\tau' \le \tau$ and is identical to $\Pi$ for any clock cycle $\tau''$ such that $\tau'' > \tau$. Define a sequence of random variables $Y_0, Y_1, \ldots, Y_{q(\kappa)}$ as follows. Select an arbitrary initial state $s$, select an input stream $X$ from $\Gamma^{q(\kappa)}$ and select a corruption timeline $\rho = ((A_1, \tau_1), \ldots, (A_t, \tau_t))$ from $\mathcal{P}^{q(\kappa)}$. $Y_\tau$ is the view of an adversary for the scheme $H_\tau$ given the choices of $s$, $X$ and $\rho$.

It follows from the definition of the schemes $H_0, \ldots, H_{q(\kappa)}$ that $H_0$ is $\Pi$ and $H_{q(\kappa)}$ is $I(\Pi, \rho)$. Therefore, $Y_0 = \mathrm{VIEW}_\Pi(X, s)$ and $Y_{q(\kappa)} = \mathrm{VIEW}_{I(\Pi,\rho)}(X, s)$.

Note that $H_\tau$ is well defined for any $\tau$ since the memory contents and the inputs of $\Pi$ and $I(\Pi, \rho)$ are all in the same domain (although the distribution of the memory contents is not identical). The only difference between $\Pi$ and $I(\Pi, \rho)$ is the processing at each clock cycle.

Proposition 5.3. Let $\Pi$ be one of the schemes $\Pi^{(n,n)}$, $\Pi^{(t+1,n)}_{naive}$ or $\Pi^{(t+1,n)}$. If the adversary is appropriate for $\Pi$ then $\mathrm{VIEW}_\Pi(X, s) \stackrel{c}{\equiv} \mathrm{VIEW}_{I(\Pi,\rho)}(X, s)$ for any initial state $s$, any efficiently constructible corruption timeline $\rho \in \mathcal{P}^{q(\kappa)}$ and any efficiently constructible input stream $X \in \Gamma^{q(\kappa)}$.

Proof. We assume towards a contradiction that the views of an adversary in $\Pi$ and in $I(\Pi, \rho)$ are not computationally indistinguishable. Therefore, there exist a probabilistic polynomial-time algorithm $D$ and a polynomial $p(\cdot)$ such that

$$\left| D_\Pi - D_{I(\Pi,\rho)} \right| \ge \frac{1}{p(\kappa)}$$

for an infinite number of values $\kappa$. $D_\Pi$ denotes $\Pr[D(\mathrm{VIEW}_\Pi(X, s)) = 1]$ and $D_{I(\Pi,\rho)}$ denotes $\Pr[D(\mathrm{VIEW}_{I(\Pi,\rho)}(X, s)) = 1]$.

We construct an algorithm $D'$ that distinguishes between $t^2 \binom{n-1}{t-1}$ independent samples of $U$ and $t^2 \binom{n-1}{t-1}$ independent samples of $G(seed)$ for a random $seed \in \{0,1\}^{len}$. Since $t^2 \binom{n-1}{t-1}$ is at most a polynomial in $\kappa$, the algorithm $D'$ contradicts the assumption that $G$ is a pseudo-random generator, thus proving the proposition. Denote the distribution on $t^2 \binom{n-1}{t-1}$ independent samples of $U$ by $U_{long}$ and denote the distribution on $t^2 \binom{n-1}{t-1}$ independent samples of $G(seed)$ by $G_{long}$.

Description of $D'$: the algorithm receives as input a description of the automaton, $\kappa$, $n$ and $t$. In addition, the algorithm receives as input a binary string $z$ of length $t^2 \binom{n-1}{t-1} (m|F| + len)$ and decides whether it is chosen from $U_{long}$ or $G_{long}$ by performing the following steps.

1. Choose a random initial state $s$, select an input stream $X$ from $\Gamma^{q(\kappa)}$ and select a corruption timeline $\rho = ((A_1, \tau_1), \ldots, (A_t, \tau_t))$ from $\mathcal{P}^{q(\kappa)}$.

2. Choose a random $\tau$ in the range $1, 2, \ldots, q(\kappa)$.

3. Simulate the operation of the agents $A_1, \ldots, A_t$ in the scheme $I(\Pi, \rho)$ for the first $\tau - 1$ clock cycles.

4. In the $\tau$-th clock cycle all the agents that have already been corrupted, i.e., in cycles 1 to $\tau - 1$, execute $\Pi$ (which is identical to $I(\Pi, \rho)$ for a corrupted agent). For any uncorrupted player, including those that are corrupted in the $\tau$-th cycle, do the following:

(a) Update any seed that is shared with a corrupted player as specified by $\Pi$ (which is identical to the update process of $I(\Pi, \rho)$ for such seeds).

(b) For any seed that is shared by a set of uncorrupted agents $T$, select a fresh string of length $m|F| + len$ from $z$ and parse it as $B^T \| S^T$ for $S^T \in \{0,1\}^{len}$ and $B^T = b_1^T, \ldots, b_m^T$. Replace the previous seed with $S^T$.

(c) Recall that in every $\Pi$ the label of the $j$-th state, $j = 1, \ldots, m$, is updated by a linear combination of previous state labels and of elements $b_j$ derived from expanded seeds. $D'$ updates the label in a similar way, except that for every $T$ such that $S^T$ is shared by uncorrupted agents, $b_j^T$ is selected from $z$ as described in the previous step instead of being selected from an expanded seed.

5. Simulate the operation of the agents $A_1, \ldots, A_t$ in the scheme $\Pi$ for the last $q(\kappa) - \tau$ clock cycles.

6. Throughout the simulation of the agents, simulate the actions of an adversary with corruption timeline $\rho$.

7. Run $D$ on the adversary's view and return the result of $D$.

We argue that if $z$ is chosen from $U_{long}$ then the view of the adversary that $D'$ simulates is $Y_\tau$, while if $z$ is chosen from $G_{long}$ then the view of that adversary is $Y_{\tau-1}$. Obviously, the view that the adversary obtains in the first $\tau - 1$ clock cycles is identical to the view in $I(\Pi, \rho)$ and the view in the last $q(\kappa) - \tau$ clock cycles is identical to the view in $\Pi$. Therefore, we need to prove that the view in the $\tau$-th clock cycle is identical to $I(\Pi, \rho)$ if $z$ is uniformly random and identical to $\Pi$ if $z$ is selected from $G_{long}$.

$I(\Pi, \rho)$ specifies identical processing to $\Pi$ for corrupted agents and seeds shared by corrupted agents. Therefore, the differences are in seeds that are shared only by uncorrupted agents and in state labels of uncorrupted agents.

In the $\tau$-th clock cycle, $D'$ replaces seeds that are shared by uncorrupted agents with strings selected from $z$. If $z$ is uniformly random then these seeds are uniformly random. Therefore, in this case the distribution of the seeds is identical to the distribution if $I(\Pi, \rho)$ is executed in the previous clock cycle, $\tau - 1$. If $z$ is a sequence of elements of the form $G(seed)$, where $seed$ is random, then the new seed $S^T$ is exactly as specified by $\Pi$ after a single clock tick. That is the expected distribution if the agents run $\Pi$ in the previous clock tick, $\tau - 1$.

The state labels are updated by a linear combination in which the coefficients of each $b_j$ are non-zero. If $z$ is uniformly random then each $b_j$ is a random field element in $F$ and therefore each state label is a random field element in $F$. By Proposition 5.2 that is identical to the distribution of state labels in $I(\Pi, \rho)$. If $z$ is a sequence of elements of the form $G(s)$, where $s$ is random, then the new label is exactly as specified by $\Pi$ after a single clock tick.

The argument above shows that once $\tau$ is given, $D'$ distinguishes between a sequence of uniform elements and a sequence of pseudo-random elements with the same probability that $D$ distinguishes between $Y_\tau$ and $Y_{\tau-1}$. Since $\tau$ is chosen randomly in the range $1, 2, \ldots, q(\kappa)$ and since $Y_0 = \mathrm{VIEW}_\Pi(X, s)$ and $Y_{q(\kappa)} = \mathrm{VIEW}_{I(\Pi,\rho)}(X, s)$, we have that

$$\Pr[D'(U_{long}) = 1] = \frac{1}{q(\kappa)} \sum_{\tau=1}^{q(\kappa)} \Pr[D(Y_\tau) = 1],$$

and

$$\Pr[D'(G_{long}) = 1] = \frac{1}{q(\kappa)} \sum_{\tau=1}^{q(\kappa)} \Pr[D(Y_{\tau-1}) = 1].$$

Therefore,

$$\left| \Pr[D'(U_{long}) = 1] - \Pr[D'(G_{long}) = 1] \right| = \frac{1}{q(\kappa)} \left| \Pr[D(Y_{q(\kappa)}) = 1] - \Pr[D(Y_0) = 1] \right| \ge \frac{1}{q(\kappa)\, p(\kappa)}$$

for an infinite number of values $\kappa$. Since $D'$ distinguishes between $U_{long}$ and $G_{long}$ we deduce that $G$ is not a pseudo-random generator and have thus reached a contradiction. □



Theorem 5.4. If the adversary is appropriate then the schemes $\Pi^{(n,n)}$, $\Pi^{(t+1,n)}_{naive}$ and $\Pi^{(t+1,n)}$ are all computationally private in the PCM.

Proof. By Proposition 5.3, if the adversary is appropriate then for every efficiently constructible corruption timeline $\rho \in \mathcal{P}^{q(\kappa)}$, every two initial states $s_1, s_2$ and every two efficiently constructible input streams $X_1, X_2 \in \Gamma^{q(\kappa)}$ we have $\mathrm{VIEW}_\Pi(X_1, s_1) \stackrel{c}{\equiv} \mathrm{VIEW}_{I(\Pi,\rho)}(X_1, s_1)$ and $\mathrm{VIEW}_\Pi(X_2, s_2) \stackrel{c}{\equiv} \mathrm{VIEW}_{I(\Pi,\rho)}(X_2, s_2)$.

By Proposition 5.2 we know that $\mathrm{VIEW}_{I(\Pi,\rho)}(X_1, s_1) \equiv \mathrm{VIEW}_{I(\Pi,\rho)}(X_2, s_2)$. Therefore,

$$\mathrm{VIEW}_\Pi(X_1, s_1) \stackrel{c}{\equiv} \mathrm{VIEW}_\Pi(X_2, s_2).$$

□